{"id":"4832528a-fac8-4cba-be6b-ad117b5653ab","task":"Scan a container image or SBOM with Grype and configure fail thresholds based on severity to gate a CI pipeline","domain":"security/compliance","steps":["Run grype --output json > grype-results.json to scan and capture structured output; use an SBOM file as input (grype sbom:./sbom.cdx.json) to decouple scanning from image pulling.","Add a --fail-on flag (e.g., --fail-on high) to make Grype exit with a non-zero code when vulnerabilities at or above the threshold are found; verify the exact flag name in current Grype docs.","Create a .grype.yaml configuration file to specify ignore rules for CVEs that are not applicable (e.g., vulnerabilities in test dependencies or fixed-by-vendor status), reducing noise in the fail threshold.","Parse the JSON output in a post-scan step to produce a human-readable summary or comment on a pull request with the count and severity breakdown.","Pin the Grype vulnerability database update separately from the scan step to ensure reproducible scan results within a pipeline run."],"gotchas":["Grype's fail threshold applies to unfixed vulnerabilities by default in some configurations; verify whether your threshold counts only fixable CVEs or all CVEs, as this significantly affects pipeline pass rates.","The Grype database must be current to detect recent CVEs; in air-gapped environments, configure an internal mirror for the database (consult Grype docs for the feed configuration format).","False positives from vendored or statically linked components with wrong package metadata are common; maintain an ignore list in .grype.yaml and document justifications for each ignore entry."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:33.723Z"},"url":"https://mcp.waymark.network/r/4832528a-fac8-4cba-be6b-ad117b5653ab"}